RE: 3.1.2 NuGet package

2016-08-16 Thread Cantor, Scott
> Our intention is to specifically use this platform to deliver the Xerces-C++
> 3.1.2 NuGet package that we have put together so that users of DNV GL -
> Energy software products can have access to it in a public and easily
> accessible repository. We would clearly indicate that the package has been
> put together with this specific goal in mind, and it is for this target
> audience that we would, indeed, be maintaining it.

Then I don't think anybody would have any objections (and even if they did, the 
license permits you to, so apart from courtesy (thanks), there's really nothing 
stopping you).

What I would caution you about is simply the security model around this. If 
somebody were to ask me to obtain a package like this from a source that I had 
no reason to trust, I would tell them they were crazy. To draw an analogy, 
people who use Maven Central as a source for artifacts but don't constrain the 
signers of the software they get from it are, well, let's say "ignorant of 
basic security practice".

Without authentication of the source of an artifact (not just authentication of 
an artifact, and that assumes you are in fact signing and people are in fact 
verifying that), you have no way to know what somebody might have done to the 
source.

But none of that really pertains to whether you *may* do this: you certainly 
may.

-- Scott


-
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org



RE: 3.1.2 NuGet package

2016-08-16 Thread Jorge, Tiago
Hi Scott,

I understand your point.

Our intention is to specifically use this platform to deliver the Xerces-C++ 
3.1.2 NuGet package that we have put together so that users of DNV GL - Energy 
software products can have access to it in a public and easily accessible 
repository. We would clearly indicate that the package has been put together 
with this specific goal in mind, and it is for this target audience that we 
would, indeed, be maintaining it.

We would naturally (as befits the open source spirit) be more than happy for 
other users to download and use the package in their own projects if they find 
that it works for them (and this should be the case, given that it has been 
built directly from unmodified sources).

This would all be clearly explained in the package's description to make users 
well aware of the use case for the package, and letting them know that they are 
completely welcome to use it if it works for them.

Please let me know your thoughts.

Thank you,
Tiago




-Original Message-
From: Cantor, Scott [mailto:canto...@osu.edu]
Sent: 15 August 2016 19:46
To: c-dev@xerces.apache.org
Subject: RE: 3.1.2 NuGet package

> We are now wondering if Xerces-C++ devs are happy for us to upload
> this package to www.nuget.org and, if so, whether there are any
> specific guidelines we should follow or clauses to be aware of in
> order to do this (aside from clearly indicating the obvious bits,
> regarding who is the true author of the code and the license). The
> package is a simple build of the 3.1.2 sources, with no custom
> modifications to the source code, and as such we wish not to take any 
> responsibility over maintenance of the NuGet package.

Speaking as the person who has done the last few releases, and not as a PMC 
member, can you clarify the last sentence?

If you're going to upload something like that, you would most certainly be 
taking responsibility for maintenance of such a package.

Basically, the licensing certainly permits you to do this, but you are the one 
supporting it, not the project. If somebody else on the project or in the 
community would like to support it, that's of course fine with me.

I'm not familiar with this site, but if I thought I could get all my project's 
dependencies to use it for Windows, I might be more open to the idea of 
maintaining this one there, but that's not likely to be the case, at least not 
soon.

-- Scott







RE: 3.1.2 NuGet package

2016-08-15 Thread Cantor, Scott
> We are now wondering if Xerces-C++ devs are happy for us to upload this
> package to www.nuget.org and, if so, whether there are any specific
> guidelines we should follow or clauses to be aware of in order to do this
> (aside from clearly indicating the obvious bits, regarding who is the true
> author of the code and the license). The package is a simple build of the
> 3.1.2 sources, with no custom modifications to the source code, and as such we
> wish not to take any responsibility over maintenance of the NuGet package.

Speaking as the person who has done the last few releases, and not as a PMC 
member, can you clarify the last sentence?

If you're going to upload something like that, you would most certainly be 
taking responsibility for maintenance of such a package.
 
Basically, the licensing certainly permits you to do this, but you are the one 
supporting it, not the project. If somebody else on the project or in the 
community would like to support it, that's of course fine with me.

I'm not familiar with this site, but if I thought I could get all my project's 
dependencies to use it for Windows, I might be more open to the idea of 
maintaining this one there, but that's not likely to be the case, at least not 
soon.

-- Scott

